ClamAV doesn't scan messages after clean install

After a clean install of HestiaCP it looks like ClamAV doesn't scan messages at all.
The service is running, the socket is created, the databases are updated and there are no errors, but there is no information about mail scanning in /var/log/clamav/clamav.log. Checking is enabled for mail domains and the daemon is running. There is also no information in /var/log/exim4/mainlog about checking for viruses. How can I find the reason?

Check if it gets detected.

If ClamAV is enabled it should also be enabled in the first few lines in /etc/exim4/exim.conf.template

Yes, I've checked, and the message was delivered without any problem.
In exim4.conf CLAMD=yes

UPD: Send message from here http://www.aleph-tec.com/eicar/index.php

It looks there is an issue with

It only successfully sends the empty “email” without the virus.

Sending email with the link I posted before:

2022-10-10 15:49:26 1ohv1y-000t1o-Jr H=static.xxxx.clients.your-server.de [xxxx] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=root@xxxxx rejected after DATA: Message contains a virus (Eicar-Signature) and has been rejected

In my case it looks like this:

 <= [email protected] H=batch.outbound.your-site.com [205.233.73.32] P=esmtps X=TLS1.2:ECDHE_SECP521R1__RSA_SHA512__AES_256_GCM:256 CV=no S=4041 [email protected]
2022-10-10 22:33:15 1ohyWY-000ETb-DK => xxx <[email protected]> R=localuser T=dovecot_virtual_delivery
2022-10-10 22:33:15 1ohyWY-000ETb-DK Completed

UPD: Tested with mutt and same result - I've got the message

If sent from the same server it is always excepted…

Use a different server or DM me your domain…

By default http://www.aleph-tec.com/eicar/index.php sends you 2 emails: 1 containing the virus and a second one not.

See here:

2022-10-10 19:59:34 1ohyw2-0017Au-9N <= [email protected] H=batch.outbound.your-site.com [205.233.73.32] P=esmtps X=TLS1.2:ECDHE_SECP521R1__RSA_SHA512__AES_256_GCM:256 CV=no S=3958 [email protected]

2022-10-10 19:59:34 1ohyw2-0017Au-9N => info <info@xxxx> R=localuser T=dovecot_virtual_delivery

Yes, I have checked all the options while testing. Got 3 messages out of 7, but there are no other logged values, just this:

2022-10-10 22:27:08 1ohyQe-000EAp-92 Completed
2022-10-10 22:33:15 1ohyWY-000ETb-DK <= [email protected] H=batch.outbound.your-site.com [205.233.73.32] P=esmtps X=TLS1.2:ECDHE_SECP521R1__RSA_SHA512__AES_256_GCM:256 CV=no S=4041 [email protected]
2022-10-10 22:33:15 1ohyWY-000ETb-DK => xxx <[email protected]> R=localuser T=dovecot_virtual_delivery
2022-10-10 22:33:15 1ohyWY-000ETb-DK Completed
2022-10-10 22:33:44 1ohyX1-000ETm-F3 <= [email protected] H=batch.outbound.your-site.com [205.233.73.32] P=esmtps X=TLS1.2:ECDHE_SECP521R1__RSA_SHA512__AES_256_GCM:256 CV=no S=4203 [email protected]
2022-10-10 22:33:44 1ohyX1-000ETm-F3 => xxx <[email protected]> R=localuser T=dovecot_virtual_delivery
2022-10-10 22:33:44 1ohyX1-000ETm-F3 Completed
2022-10-10 22:33:44 1ohyX1-000ETn-Iu <= [email protected] H=batch.outbound.your-site.com [205.233.73.32] P=esmtps X=TLS1.2:ECDHE_SECP521R1__RSA_SHA512__AES_256_GCM:256 CV=no S=6416 [email protected]
2022-10-10 22:33:44 1ohyX1-000ETn-Iu => xxx <[email protected]> R=localuser T=dovecot_virtual_delivery
2022-10-10 22:33:44 1ohyX1-000ETn-Iu Completed

Successfully got malwared gif, malwared zip and passworded zip
And nothing new in the clamav.log or reject.log

I think I found the problem. I tried to scan the /home/user/mail directory with clamdscan and got an error: permission denied. Maybe the problem is here? Clamd just cannot access the folder with mails? Which permissions should the home user directory have? And who has to be the owner? In my case it's root. Is that right?

I don’t think .zip files and images are scanned properly.

Please verify (EICAR) Antivirus Mail Test for ClamAV is working when sending from a separate server…
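
An added example, not part of the thread: a small parser that groups Exim mainlog lines by message id and reports whether each test message was rejected by the virus scan or delivered, using the rejection wording quoted above. The function name `classify` and the sample hosts, IPs and addresses are constructed for illustration.

```python
import re

# Exim main log line: "<date> <time> <message-id> <rest>"
LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d "
    r"(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6,11}-[0-9A-Za-z]{2,4}) (?P<rest>.*)$"
)
# Rejection wording as it appears in the mainlog line quoted in the thread.
VIRUS = re.compile(r"rejected after DATA: Message contains a virus \((?P<sig>[^)]+)\)")
TRANSPORT = re.compile(r"\bT=(\S+)")

# Constructed sample modelled on the thread's log lines; hosts, IPs and
# addresses are placeholders.
SAMPLE_LOG = """\
2022-10-10 15:49:26 1ohv1y-000t1o-Jr H=mx.example.net [192.0.2.10] CV=no F=<root@example.net> rejected after DATA: Message contains a virus (Eicar-Signature) and has been rejected
2022-10-10 22:33:15 1ohyWY-000ETb-DK <= test@example.net H=batch.example.net [192.0.2.20] P=esmtps S=4041
2022-10-10 22:33:15 1ohyWY-000ETb-DK => user <user@example.org> R=localuser T=dovecot_virtual_delivery
2022-10-10 22:33:15 1ohyWY-000ETb-DK Completed
2022-10-10 22:33:44 1ohyX1-000ETm-F3 <= test@example.net H=batch.example.net [192.0.2.20] P=esmtps S=4203
"""


def classify(log_text):
    """Return {message_id: verdict} for every message id seen in the log."""
    state = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a per-message line (or truncated): skip
        msg = state.setdefault(m["id"], {"virus": None, "transports": []})
        rest = m["rest"]
        hit = VIRUS.search(rest)
        if hit:
            msg["virus"] = hit["sig"]
        elif rest.startswith(("=> ", "-> ")):  # delivery lines
            t = TRANSPORT.search(rest)
            msg["transports"].append(t.group(1) if t else "unknown")
    verdicts = {}
    for msg_id, msg in state.items():
        if msg["virus"]:
            verdicts[msg_id] = f"rejected ({msg['virus']})"
        elif msg["transports"]:
            verdicts[msg_id] = "delivered via " + ",".join(msg["transports"])
        else:
            verdicts[msg_id] = "no delivery logged"
    return verdicts


if __name__ == "__main__":
    for msg_id, verdict in classify(SAMPLE_LOG).items():
        print(msg_id, verdict)
```

To use it on a real server, pass the contents of /var/log/exim4/mainlog to `classify` after sending the test messages from a separate server.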
